Think You’ve Implemented Zero Trust? You Might Need To Think Again.

Despite becoming a bit over-marketed, zero trust is still one of the most important cybersecurity approaches for protecting your organization’s data, devices and applications. The basic idea is built around the assumption that every attempt to access your infrastructure is malicious until explicitly proven otherwise – with no exceptions.

Organizations have embraced zero trust with enthusiasm, supported by vendors keen to demonstrate how their solution adheres to the principles of zero trust. When it comes to zero trust for identity and access management, multi-factor authentication (MFA) has become the tool of choice, with more and more products forcing you to implement MFA rather than making it optional.

MFA is a great enabler of zero trust for identity, but in its current form, does it really go far enough or cover enough to truly meet the definition of zero trust?

Let’s take a closer look at the situation with what might be considered a silly analogy.

Imagine you have a nightclub, and everyone has to line up to get in and show ID. This is the equivalent of a username and password. Their ID is recorded and they're free to enter; you know who they are. Unless, of course, it's a fake or stolen ID.

Some people trying to get in might look a bit young, or their ID looks a bit suspicious. Perhaps they have been celebrating too hard, or just look like they'll cause trouble, so that triggers an extra check such as a second piece of photo ID or a breathalyzer test. This is the equivalent of MFA: fail that and you can't get in. The idea is that this extra check is triggered more often than not, and with this setup you're feeling good about your nightclub security.

But what about when a VIP arrives? Someone vouches for them, or they get recognized, so they are ushered straight through. They have privileged access, and this person can seemingly go anywhere or do anything because their "credentials" look right, so it must be "them". But are you really sure, given that no proper checks were done? They had the right "username and password", i.e. they looked like someone famous, or someone said they were important.

What about when a patron leaves the building for a couple of minutes and then wants to come back? If you have a pass-out process, you just let them back in, assuming they’re the same person as before with the same access rights. But what if it’s not the same person?

And here's a scenario you might not have thought about. You have a maintenance entrance in the back for tradespeople, staff etc. How many times can someone wearing hi-vis and carrying a ladder get in with no checks? Maybe they have an ID badge on their hi-vis vest, but no one checks it properly. They give the right name, say why they're here and get let in. This is the equivalent of service accounts and of command-line and remote-management interfaces such as PowerShell, where an interactive MFA prompt is rarely in the path. Once in, they can also move about freely with few checks because there's no one guarding the maintenance door.

In all these scenarios, we've assumed that malicious activity using compromised credentials is going to come through the front door, and that if the front door is well protected, then we've implemented zero trust. In practice, malicious activity more often looks for the back doors instead: service accounts and access interfaces where traditional MFA cannot be applied, and where compromised credentials are therefore easier to exploit.

The point is that zero trust means zero trust but achieving this all-encompassing level of zero trust around identity is hard. However, it’s not impossible.

Let's look at Silverfort's approach to implementing this gold standard of zero trust for identity and access management, one that doesn't require you to re-engineer your environment.

There are three pillars to achieving this standard:

Pillar 1 | Unification
Unification refers to the ability to consolidate every authentication and access attempt across all on-prem and cloud resources into a single view, giving full visibility across your environment. You may have multiple identity and access management tools, and these attempts may be made by human users or machine identities (service accounts), through any access interface, using any authentication protocol.

Consolidating and unifying access attempts breaks down these identity silos and enables visibility and protection across the entire IT stack. On paper, this makes complete sense, but in reality, consolidating multiple authentication tools to gain that single view of all authentication and access attempts is notoriously difficult. Hybrid environments worsen the problem because on-prem and cloud authentication tools don't talk to each other, so any insight gleaned by one tool isn't shared with another. As a result, you never get the complete picture, and every tool must start its evaluation from scratch. For attackers, the gaps left by siloed tools and processes are ripe for exploitation.

Pillar 2 | Context
Context is the ability to continuously create a behavioral baseline profile for every user account based on its entire authentication activity across all enterprise resources. In this way, context supports reliable and high-precision risk analysis for every new access attempt to determine whether or not a given user can be trusted to access a resource. In short, context allows us to know whether an authentication is legitimate or not – and not just based on the username or password, but other parameters such as whether a user’s behavior is anomalous.

It's important to note that the ability to create context will only be as good as your unification efforts. Multiple disparate risk-evaluation engines acting independently don't allow you to build context around normal user behavior: even with the best AI model, if it is only ingesting two-thirds of your authentication data, you will have blind spots in the remaining third. Your risk engine needs to see 100% of the data to determine whether a given authentication is legitimate or malicious.

Pillar 3 | Enforcement
Enforcement refers to the ability to trigger secure access controls via configured policies across every type of user, access interface or resource. It prevents – in real time – any malicious activity that attempts to utilize compromised credentials to access targeted resources. In short, Zero Trust enforcement blocks malicious access attempts at the validation point.

Existing tools can recognize the problem and raise an alert, but they cannot stop the activity at the moment it happens. Active Directory is the clearest example: a domain controller's job is to validate the credential, and once the username and password (or the hash derived from them) check out, Kerberos or NTLM authentication succeeds. Static restrictions such as logon hours or permitted workstations exist, but there is no native mechanism at that point to demand a second factor or to weigh the risk of the attempt, so a correct credential in the wrong hands is accepted like any other. Implicitly trusting credentials alone therefore offers no protection against identity-based attacks that use compromised ones. Adding to the problem is the vast number of alerts IT teams receive across different tools, which makes it easy for an identity alert to be overlooked.

You need to combine rule-based enforcement, such as a policy that always requires multi-factor authentication for a given resource, with risk-based enforcement, such as an AI-based risk engine that scores each attempt against the account's baseline, so that every access attempt is evaluated and the resulting decision (allow, deny or step up) is applied in real time.
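The three pillars above, as a toy engine added here for illustration (this is not Silverfort's code or product logic): a single baseline and a single risk ledger per account built from every silo, a novelty score per attempt, and a decision that combines fixed rules (tier-0 resources always step up; service accounts cannot step up, so any deviation is blocked) with the accumulated risk. The event data, silo names, account names, score weights and thresholds are all constructed. It also shows the unification point from Pillar 2: an engine that only sees Active Directory events never evaluates the VPN logon at all and lets the first file-share access through, while the unified engine, carrying the VPN risk into the AD attempt, demands MFA.

```python
"""Toy unified identity-risk engine (added illustration; all data constructed).
One baseline and one risk ledger per account across every authentication silo,
with rule-based plus risk-based enforcement."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    source: str    # which IAM silo reported it: "ad", "radius" or "cloud"
    user: str
    host: str      # client host or IP as that silo saw it
    resource: str
    protocol: str
    hour: int      # hour of day, 0-23


# Constructed history standing in for 30 days of logs from three silos.
HISTORY = [
    Attempt("cloud",  "alice",      "laptop-alice", "m365", "saml",     9),
    Attempt("radius", "alice",      "203.0.113.7",  "vpn",  "radius",   8),
    Attempt("ad",     "alice",      "ws-alice",     "fs01", "kerberos", 9),
    Attempt("ad",     "alice",      "ws-alice",     "fs01", "kerberos", 14),
    Attempt("ad",     "svc-backup", "bkp01",        "fs01", "ntlm",     2),
    Attempt("ad",     "svc-backup", "bkp01",        "fs01", "ntlm",     2),
]
SERVICE_ACCOUNTS = {"svc-backup"}   # no human present to answer an MFA prompt
TIER0 = {"dc01"}                    # rule: human accounts always step up here
MFA_AT, DENY_AT = 3, 6              # cumulative-risk thresholds (toy values)


class Engine:
    """Scores attempts from the `visible` silos only; the rest are blind spots."""

    def __init__(self, events, visible):
        self.visible = set(visible)
        self.baseline = defaultdict(lambda: defaultdict(set))
        for e in events:
            if e.source in self.visible:
                b = self.baseline[e.user]
                b["host"].add(e.host)
                b["resource"].add(e.resource)
                b["protocol"].add(e.protocol)
                b["hour"].add(e.hour)
        self.ledger = defaultdict(int)  # unexplained risk accumulated per account

    def score(self, a):
        """Novelty score: each attribute never seen for this account adds risk."""
        b = self.baseline.get(a.user)
        if b is None:
            return DENY_AT  # account with no history at all: treat as maximally odd
        return (2 * (a.host not in b["host"])
                + 2 * (a.resource not in b["resource"])
                + 2 * (a.protocol not in b["protocol"])
                + 1 * (a.hour not in b["hour"]))

    def decide(self, a):
        if a.source not in self.visible:
            return "unseen"                 # this silo never sees the attempt
        s = self.score(a)
        if a.user in SERVICE_ACCOUNTS:      # rule: cannot step up, so deviation = block
            return "deny" if s > 0 else "allow"
        self.ledger[a.user] += s            # context carried across silos and steps
        total = self.ledger[a.user]
        if total >= DENY_AT:
            return "deny"
        if total >= MFA_AT or a.resource in TIER0:
            return "mfa"
        return "allow"

    def mfa_passed(self, user):
        """A successful second factor explains the accumulated risk."""
        self.ledger[user] = 0


# Constructed attacker chain with alice's stolen password, then service-account abuse.
ATTACK = [
    Attempt("radius", "alice", "198.51.100.9", "vpn",  "radius",   9),  # VPN from new IP
    Attempt("ad",     "alice", "vpn-pool-17",  "fs01", "kerberos", 9),  # share from VPN host
    Attempt("ad",     "alice", "vpn-pool-17",  "dc01", "ntlm",     9),  # lateral move to a DC
]
SVC_ABUSE = Attempt("ad", "svc-backup", "ws-alice", "fs01", "ntlm", 2)


def run(engine, attempts):
    return [engine.decide(a) for a in attempts]


def unified_vs_siloed():
    unified = Engine(HISTORY, {"ad", "radius", "cloud"})
    ad_only = Engine(HISTORY, {"ad"})
    return run(unified, ATTACK), run(ad_only, ATTACK)


if __name__ == "__main__":
    u, s = unified_vs_siloed()
    print("unified :", u)   # ['allow', 'mfa', 'deny']
    print("AD only :", s)   # ['unseen', 'allow', 'deny']
    print("svc abuse:", Engine(HISTORY, {"ad"}).decide(SVC_ABUSE))  # deny
```

The difference sits in the second step: the AD-only engine has never seen the VPN logon, so the file-share access from the VPN host scores just below its threshold and is allowed, whereas the unified engine adds that risk to what the VPN silo already reported and steps up. The service-account branch is the maintenance-door case from the analogy: since nobody can answer a prompt, the only real-time enforcement available is to block the attempt when it departs from the learned pattern.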

Unified Identity Protection Platform: Identity-Based Zero Trust In Practice

Silverfort is the world’s first Unified Identity Protection platform that extends your existing MFA solution to all resources and access points to block identity-based attacks.

For unification, Silverfort integrates with existing IAM solutions (such as AD, ADFS, RADIUS, Azure AD, Okta, Ping Identity, AWS IAM, etc.), extending coverage to assets that, until now, couldn't be protected. This includes:

  • Legacy apps
  • IoT devices
  • Visibility and policy enforcement for machine-to-machine access
  • IT infrastructure, file systems, command-line tools and more

For context and enforcement, Silverfort analyses all on-premises and cloud access requests, enriching them with contextual data and an AI-based risk engine to assess the risk associated with each access attempt. The appropriate security policy is then applied: allow the access, deny it, or require the user to perform additional authentication to validate their identity before the decision is made. When Silverfort detects malicious activity, access is denied and the security team is notified immediately, with the full authentication context already attached, so the alert can be triaged and acted on with confidence rather than investigated from scratch.

Covering every account and every access interface in this way, rather than only the front door, is what makes a Zero Trust identity program practical and actionable. If you're serious about Zero Trust for identity, this is the standard to hold any solution to, and it is the one Silverfort is built to meet.

For more information or a demonstration visit silverfort.com
